First, I am NOT looking for rock star security. We just at a glance want to prevent "sudo su -" and it is a policy here to always use sudo when running commands and we all want that. Ideally we would like to log something if someone does try "sudo su -" to please obey the culture and never become root so we can reverse engineer all commands run and what happened. Is there a way to do this to prevent sudo su - but allow "sudo su - serveruser"

"we all want that" as in your organization, or as in a generalized assumption about best practices/opinion that does not always hold true (I am probably not the only one considering the ubuntu/OSX-style sudomy as helpful to safety as using a blunt saw over a sharp one is - adds complexity where you should be concentrating on the actual task at hand).
–
rackandbonemanDec 21 '12 at 14:15

"we all want that" as in the team wants that. clearly some places want rock star security(financial, government) so I cannot say we all want as in the world.
–
Dean HillerDec 21 '12 at 14:20

2 Answers
2

You can specify the full "su - foouser" in the sudoers file - the entire command string must be matched, which prevents a simple "su -". On the downside, you'll have to list all acceptable destination users with separate allowed commands.

Alternately, you can use sudoers to specify groups of destination users and have them use the "sudo -U " format.

actually, you can do negation. I have done that just this morning and tested and it works though it is not well-advised. In case of sudo whitelisting is very secure but blacklisting is usually not very secure as there are other ways to work around it and become root still in general, but all the admins have root access so they could destroy the machine anyways.
–
Dean HillerDec 21 '12 at 14:22